Uber's concealed data breach affects 57 million users

FILE - In this Wednesday, March 15, 2017, file photo, an Uber car drives through LaGuardia Airport in New York. (Seth Wenig, File)

KGO

by abc7news.com staff

Tuesday, November 21, 2017

SAN FRANCISCO (KGO) --

Uber revealed on Tuesday that hackers were able to download personal information on 57 million users around the world, including names, email addresses and mobile phone numbers. It also revealed that it had known about the hack for close to a year without notifying customers or drivers.

"You may be asking why we are just talking about this now, a year later," wrote Khosrowshahi in a blog post. "I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it."

Khosrowshahi explained that the incident happened in late 2016 and involved two hackers accessing data on a third party cloud-based service. He said that Uber's corporate systems were not impacted, but the hackers also got the names and license numbers of around 600,000 drivers in the United States in addition to riders data.

Uber claims its forensics experts determined that no trip location history, credit card numbers, bank account numbers, social security numbers or of dates of birth were downloaded. They also claim that they were able to identify the hackers and get guarantees that the downloaded data was destroyed.

Bloomberg news reports that the company paid the hackers $100,000 to delete the data and keep the breach quiet. They also report that Uber's chief security officer Joe Sullivan and one of his deputies were ousted earlier this week.

Uber confirmed that two people who led the response to this incident are no longer with the company.

"As Uber's CEO, it's my job to set our course for the future, which begins with building a company that every Uber employee, partner and customer can be proud of," wrote Khosrowshahi. "For that to happen, we have to be honest and transparent as we work to repair our past mistakes."

Uber said it is notifying regulatory authorities and offering free credit and identity theft monitoring for drivers.

"None of this should have happened, and I will not make excuses for it," Khosrowshahi wrote. "While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business."

This is not the first time that Uber's data has been breached. In 2014 the data of 50,000 Uber drivers was compromised in another hack. Attorneys for Uber pointed the finger at rival Lyft but the identity of the hacker was never determined.

Drivers affected in that breach filed a lawsuit against Uber in that case.